FTC Warns Against Log4j Vulnerabilities

The commission says it will pursue companies that fail to take reasonable steps to fix the Log4j vulnerability and expose consumer data as a result.

January 06, 2022


ALEXANDRIA, Va.—The Federal Trade Commission (FTC) has warned companies to remediate a widespread security vulnerability (CVE-2021-44228) in Log4j, a popular Java logging package. Log4j is a ubiquitous piece of software used to record activity in a wide range of systems found in consumer-facing products and services.

“When vulnerabilities are discovered and exploited, it risks a loss or breach of personal information, financial loss, and other irreversible harms. ... It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action,” wrote the FTC in a blog post.

The FTC used the example of the Equifax security breach, where the company failed to patch a known vulnerability which irreversibly exposed the personal information of 147 million consumers. Equifax was forced to pay $700 million to settle actions by the FTC, the Consumer Financial Protection Bureau and all 50 states.

“The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future,” wrote the FTC.

Companies can check whether they use the Log4j software library by consulting the Cybersecurity and Infrastructure Security Agency (CISA) guidance. If the software is in use, here’s what to do.
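The check above is often harder than it sounds, because log4j-core is usually buried inside application archives rather than installed on its own. The script below is an added example, not code from the FTC, CISA or NACS: it walks a directory of Java artifacts, opens each JAR/WAR/EAR and any archive nested inside it, and reports every copy of log4j-core it finds along with the version recorded in the artifact's Maven metadata and whether the JNDI lookup class is present. The `build_sample_war()` helper fabricates a small `app.war` as constructed sample input so the example runs offline; which versions need upgrading is a question for the vendor and CISA advisories, not this script.

```python
"""Inventory log4j-core inside JAR/WAR/EAR trees (added example).

Two signals are used: the Maven pom.properties that log4j-core ships with,
which states the artifact version, and the presence of JndiLookup.class.
Archives nested inside archives (WEB-INF/lib/*.jar) are scanned recursively.
"""
import io
import os
import zipfile

# Maven metadata path that log4j-core JARs carry; its "version=" line is authoritative.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Class implementing the JNDI lookup; present in log4j-core 2.x builds that include it.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_pom_version(text):
    """Return the value of the version= line in a pom.properties file, or None."""
    for line in text.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_archive(data, location):
    """Scan archive bytes; return [(location, version, has_jndi_lookup), ...].

    location is a human-readable path; nested archives are written as
    outer.war!WEB-INF/lib/inner.jar so an operator can find the file later.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container (corrupt file, or mis-named)
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            version = parse_pom_version(
                zf.read(POM_PROPERTIES).decode("utf-8", "replace"))
        has_jndi = JNDI_LOOKUP_CLASS in names
        if version or has_jndi:
            findings.append((location, version, has_jndi))
        # Recurse into any archive bundled inside this one (sorted for stable output).
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(scan_archive(zf.read(name), f"{location}!{name}"))
    return findings


def scan_tree(root):
    """Walk a directory tree and scan every archive found in it."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as f:
                    findings.extend(scan_archive(f.read(), full))
    return findings


def build_sample_war():
    """Constructed sample input: a fake app.war bundling a fake log4j-core-2.14.1.jar.

    The class entries are empty placeholders, not real bytecode; only the
    archive layout and Maven metadata matter to the scanner.
    """
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(POM_PROPERTIES,
                    "groupId=org.apache.logging.log4j\n"
                    "artifactId=log4j-core\nversion=2.14.1\n")
        zf.writestr(JNDI_LOOKUP_CLASS, b"")
        zf.writestr("org/apache/logging/log4j/core/Core.class", b"")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
        zf.writestr("WEB-INF/lib/other-lib.jar", b"not really a jar")  # exercises BadZipFile path
    return outer.getvalue()


def demo():
    """Scan the constructed sample and return the findings."""
    return scan_archive(build_sample_war(), "app.war")


if __name__ == "__main__":
    for location, version, has_jndi in demo():
        print(f"{location}: log4j-core version={version} JndiLookup={'yes' if has_jndi else 'no'}")
```

Run `scan_tree("/opt/apps")` (path is illustrative) against real deployment directories; each reported location names the exact nested archive to upgrade or replace. Note that a shaded or repackaged log4j-core may lack the Maven metadata, so treat a hit on `JndiLookup.class` with no version as a finding to investigate rather than as a clean result.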

NACS Daily shared five steps companies can take to help address the Log4j vulnerability.